From: VP Dominic-M. <MV...@mo...> - 2012-10-10 12:03:00
Hi Martin,

We need to implement a CMPv2 client for business purposes and we are exploring the option of using open source for this. Cmpforopenssl seems to be a good option so we are exploring more on this.

Regarding interoperability with EJBCA, the initial request (ir) message exchange is working fine after configuring EJBCA CMP in RA mode and re-deploying EJBCA. But the 'certificate request' is still failing.

Following are the commands that were executed on the cmpforopenssl cmpclient:

Initial request:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --ir --user user1 --password password --newclcert user1-cert.der --newkey user1-key.pem --subject "C=IN,CN=User1"

This command was successful and the initial client certificate was successfully received.

Certificate request:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --srvcert ~/Downloads/AdminCA1.cacert.pem --cr --user user1 --password password --newclcert user1-cert-new.der --newkey user1-key-new.pem --clcert user1-cert.der --key user1-key.pem

This command failed, and the following error was observed on the EJBCA side:

15:48:28,521 INFO [CmpServlet] CMP message received from: 127.0.0.1.
15:48:28,535 ERROR [CrmfMessageHandler] Could not create CmpPbeVerifyer
15:48:28,538 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1, process time 15

Any idea why I am getting this error? Packet capture is attached.

Regards
Dominic

-----Original Message-----
From: Martin Peylo [mailto:cmp...@iz...]
Sent: 10 October 2012 13:16
To: dominic peter
Cc: cmp...@li...
Subject: Re: [Cmpforopenssl-devel] Interop cmpclient with EJBCA

Hi Dominic,

did you configure EJBCA as described in <http://sourceforge.net/apps/mediawiki/cmpforopenssl/index.php?title=EJBCA>?

There's also a way to do that RegTokenPwd thing in the code if you really need that. Unfortunately at this very moment I lack the time to give a good explanation - come back to me if you don't find it.

NB: try using the OpenSSL app which you can use with "openssl cmp ...". I just saw that the --help is broken somehow but there is an openssl_cmp.pod in the documentation explaining its usage. The cmpclient will not be updated in the future and will probably be removed soon.

Just interested: Are you using CMP for research or business? If you're developing on the code, we're always open for contributions and bug reports.

Please attach Wireshark traces on further queries, that makes it easy to check out what's going on.

Kind regards,
Martin

On Tue, Oct 9, 2012 at 2:51 PM, dominic peter <dom...@gm...> wrote:
> Hi,
> I am using cmpforopenssl version and EJBCA 4.0.12. Has anyone tried to
> interop cmpforopenssl client with EJBCA?
>
> I am trying to send an 'ir' request to EJBCA from the cmpclient using
> the following command,
>
> ./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp
> --srvcert myAdminCA.cacert.pem --ir --user test1 --password test1
> --newclcert test1.pem --newkey test1.key --subject
> "C=IN,ST=KAR,L=TEST,O=TEST,OU=EN,CN=EETest1"
>
> I am seeing the following error on the EJBCA after sending the 'ir'
> request from the client,
>
> 15:40:36,975 ERROR [CrmfMessageHandler] Could not extract password
> from CRMF request using the RegTokenPwd authentication module
> 15:40:36,997 INFO [CmpServlet] Sent a CMP response to: 127.0.0.1,
> process time 217.
>
> On the cmpclient I am seeing the following error,
>
> INFO: Sending Initialization Request
> ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 401
> 3078551176:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:1319:
> 3078551176:error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested
> asn1 error:tasn_dec.c:381:Type=X509
> 3078551176:error:32090087:CMP routines:CMP_doInitialRequestSeq:pkibody
> error:cmp_ses.c:384:bodytype=23, error="PKIStatus: rejection,
> PKIFailureInfo: wrongAuthority"
>
> Any ideas?
>
> Thanks in advance.
>
> Regards
> Dominic
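
Added example, not part of the thread and not cmpforopenssl or EJBCA code: the EJBCA log above names a PBE (password-based MAC) verifier and the client error reports bodytype=23, so two fields to read from a captured message are the header's protectionAlg and the PKIBody tag. This Python code reads both from a DER-encoded PKIMessage as laid out in RFC 4210; the function names and the sample messages are constructed for illustration.

```python
# Added example: minimal DER walk over a CMP PKIMessage (RFC 4210 layout).
BODY = ("ir ip cr cp p10cr popdecc popdecr kur kup krr krp rr rp ccr ccp ckuann "
        "cann rann crlann pkiconf nested genm genp error certConf pollReq pollRep").split()
PBM = "1.2.840.113533.7.66.13"              # id-PasswordBasedMac

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def oid(raw):
    """Decode OID content octets (first arc 0 or 1 only)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_pkimessage(msg):
    """Return (protectionAlg OID or None, PKIBody type name)."""
    _, pos, hdr_end = tlv(msg, tlv(msg, 0)[1])   # PKIMessage -> PKIHeader
    alg, field = None, 0
    while pos < hdr_end:
        tag, start, end = tlv(msg, pos)
        if field >= 3 and tag == 0xA1:      # after pvno, sender, recipient: protectionAlg [1]
            _, a, _ = tlv(msg, start)       # AlgorithmIdentifier SEQUENCE
            _, o, o_end = tlv(msg, a)       # algorithm OBJECT IDENTIFIER
            alg = oid(msg[o:o_end])
        pos, field = end, field + 1
    return alg, BODY[tlv(msg, hdr_end)[0] & 0x1F]   # body is a context tag [n]

def der(tag, *parts):                       # short-form length only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
def sample(alg_hex, body_tag):              # constructed skeleton, not this thread's capture
    name = der(0xA4, der(0x30))             # directoryName with an empty Name
    alg = der(0xA1, der(0x30, der(0x06, bytes.fromhex(alg_hex))))
    hdr = der(0x30, der(0x02, b"\x02"), name, name, alg)
    return der(0x30, hdr, der(body_tag, der(0x30)))

PBM_CR = sample("2a864886f67d07420d", 0xA2)     # cr protected with PasswordBasedMac
SIG_CR = sample("2a864886f70d010105", 0xA2)     # cr protected with sha1WithRSAEncryption
ERROR = sample("2a864886f67d07420d", 0xB7)      # error body, tag [23]
```

Pass it the DER bytes of a PKIMessage exported from a capture; a protectionAlg other than the PasswordBasedMac OID means the message was not MAC-protected.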